"GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate." From The GNU Privacy Handbook

GnuPG, GPG, PGP and OpenPGP

The terms "OpenPGP", "PGP", and "GnuPG / GPG" are often used interchangeably. This is a common mistake, since they are distinctly different.

OpenPGP is technically a proposed standard, although it is widely used. OpenPGP is not a program, and shouldn't be referred to as such.

PGP and GnuPG are computer programs that implement the OpenPGP standard.

PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication. For more information, see this Wikipedia article.

GnuPG is an acronym for GNU Privacy Guard, another computer program which provides cryptographic privacy and authentication. For further information on GnuPG, see this Wikipedia article.

Generating an OpenPGP Key

The core package required to start using OpenPGP, gnupg, is installed by default on Ubuntu systems, as is seahorse, a GNOME application for managing keys. It is called "Passwords and Keys" in Ubuntu.

There are several programs which provide a graphical interface to the GnuPG system.

Make sure that the name on the key is not a pseudonym, and that it matches the name in your passport or other government-issued photo identification! You can add extra e-mail addresses to the key later.

Type O to create your key.

You need a Passphrase to protect your secret key.

You will be asked for your passphrase twice. Usually a short sentence or phrase that isn't easy to guess can be used. You will then be asked to tap on the keyboard or do other things you normally do, so that the system can gather enough randomness. This gives the key generator human-supplied entropy to work from; the resulting private key is then protected by the passphrase entered above.

Making an ASCII armored version of your public key

There are several sites out there that also allow you to paste an ASCII armored version of your public key to import it. This method is often preferred, because the key comes directly from the user. The reasoning behind this preference is that a key on a keyserver may be corrupted, or the keyserver may be unavailable.

Create an ASCII armored version of your public key using GnuPG by using this command:

gpg --output mykey.asc --export -a $GPGKEY

This is the command using our example:

gpg --output mykey.asc --export -a D8FC66D2

Uploading the key to Ubuntu keyserver

This section explains how to upload your public key to a keyserver so that anyone can download it. Once you have uploaded it to one keyserver, it will propagate to the other keyservers. Eventually most of the keyservers will have a copy of your key. You can accelerate the process by sending your key to several keyservers.

Reading OpenPGP E-mail

OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can register your own personal OpenPGP keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does come from you.

The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email.

We need your help to flesh out these instructions!

Linux mail readers

This section is not all inclusive. Please feel free to add additional mail clients.

Evolution

Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts.

Open Evolution and go to Edit->Preferences.

Choose your email account, click on it, and then click Edit.

Click on the Security tab.

In the PGP/GPG Key ID: box, paste your KEY-ID.

Click OK. Click Close.

If you want to use your key in any new email, simply click on the Security menu item in your new mail message, and then click on PGP Sign.

KMail

KMail / Kontact has built-in support. For Gutsy and later releases, everything required is installed by default. See the Kmail GPG page for details.

Claws Mail

Claws Mail supports OpenPGP through the plugin claws-mail-pgpinline.

claws-mail-pgpinline is available in the "Universe" repository.

sudo apt-get install claws-mail-pgpinline

The plugin may have to be loaded manually after installing it. Open Claws Mail and select Configuration -> Plugins.

If PGP/Core and PGP/inline are in the Plugins dialogue box, the plugins are loaded correctly.

Otherwise, click on the Load Plugin button towards the bottom of the window. In the file selection dialogue, select pgpinline.so and click the Open button.

When Claws Mail tries to open encrypted e-mail, the program will prompt for your key's passphrase and then show the e-mail with the decrypted message.

Thunderbird

Thunderbird supports OpenPGP through the enigmail plugin.

Enigmail is available in the "Main" repository.

sudo apt-get install enigmail

Configure OpenPGP support in Thunderbird under Enigmail->Preferences and set the GnuPG executable path. On Ubuntu the path for GnuPG is /usr/bin/gpg.

Mutt

Create a ~/.mutt directory and copy this file into it: /usr/share/doc/mutt/examples/gpg.rc

Append this line to the muttrc configuration file.

source ~/.mutt/gpg.rc # Use GPG

If you're using Mutt 1.5.13, you'll need to fix the paths to pgpewrap as detailed in this post

Miscellaneous/all platforms (web mail)

This section is in need of expansion. Please feel free to add any additional plugins for Firefox or other browsers.

Gmail

If you use the Chrome or the Chromium browser you can use Goopg to sign and verify emails directly from the Gmail web interface. For details click here.

It's All Text!

It's All Text! is a Firefox extension which allows you to edit your mail in your preferred local text editor.

If your editor supports it, this can make handling of encrypted mail easier.

Getting your key signed

The whole point of all this is to create a web of trust. By signing someone's public key, you state that you have checked that the person using a certain keypair is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the Strongly connected set. Information about it can be found at http://pgp.cs.uu.nl/

In summary,

Locate someone that lives near you and can meet with you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose.

Arrange for a meeting. Bring at least one ID with photo and printed fingerprint of your OpenPGP key, ask the same from the person you will be meeting with.

Print the resulting key.txt file and bring as many copies to the meeting as you expect to have people sign.

Meet, verify your IDs and exchange OpenPGP key fingerprints.

Sign the key of the person you've just met. Send him/her the key you've just signed.

Update your keys on the keyserver, the signature you've just created will be uploaded.

Keysigning Guidelines

Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing people's keys:

During the Event

Keysigning is always done after meeting in person.

During this meeting you hand each other your OpenPGP key fingerprint and at least one government-issued ID with a photograph. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party).

You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who he says he is.

After the Event

You now have the printed public key information from the other participants.

Example key IDs for the other participants will be E4758D1D, C27659A2, and 09026E7B. Replace these IDs with the key IDs you received from the other participants.
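As an added example (not part of the original wiki page), this script does the check the guidelines above demand before a key is signed: the fingerprint verified on the paper slip must match the key fetched from the keyserver. It assumes gpg is in PATH; the key IDs are the page's examples and the slip fingerprint is a placeholder you supply.

```shell
#!/bin/sh
# Added example, not from the original page. Compare the fingerprint
# read from a participant's slip with the key actually downloaded.

# Normalise a slip fingerprint ("0123 4567 ..." in any case) to plain
# uppercase hex with no whitespace.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Extract the primary-key fingerprint from `gpg --fingerprint --with-colons`
# output read on stdin: the first 'fpr' record, field 10.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only if the slip fingerprint and the fetched one agree.
fingerprints_match() {
    slip=$(normalize_fpr "$1")
    fetched=$(normalize_fpr "$2")
    [ -n "$slip" ] && [ "$slip" = "$fetched" ]
}

# Usage: check_before_signing KEYID "FINGERPRINT FROM SLIP"
#   e.g. check_before_signing E4758D1D "<fingerprint copied from the slip>"
check_before_signing() {
    keyid=$1
    slip=$2
    gpg --recv-keys "$keyid" >/dev/null 2>&1 || return 1
    fetched=$(gpg --fingerprint --with-colons "$keyid" | fpr_from_colons)
    if fingerprints_match "$slip" "$fetched"; then
        echo "$keyid: fingerprint verified; you may now run: gpg --sign-key $keyid"
    else
        echo "$keyid: MISMATCH (slip=$slip fetched=$fetched); do not sign" >&2
        return 1
    fi
}
```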

Restoring your keys

Revoking a keypair

In the event your keys are lost or compromised, you should revoke your keypair. This tells other users that your key is no longer reliable.

For security purposes, there is no mechanism in place to revoke a key without a revocation key. As much as you might want to revoke a key, the revocation key prevents malicious revocations. Guard your revocation key with the same care you would use for your private key.

To revoke your key you need to first create a revocation key. Indicate the key to be revoked and direct the output to a file. Continuing with the example used previously:

Un-revoking a keypair

If you unintentionally revoke a key, or find that your key has in fact not been lost or compromised, it is possible to un-revoke your key. First and foremost, ensure that you do not distribute the key, or send it to the keyserver.

Export the key

gpg --export <key> > key.gpg

Split the key into its individual OpenPGP packets. This writes one file per packet into the current directory.

gpgsplit key.gpg

Find which file contains the revocation signature. In most cases it is 000002-002.sig, but you should confirm this with the following command. If the sigclass is 0x20, you have the right file. Delete it.

gpg --list-packets 000002-002.sig

Put the key back together

cat 0000* > fixedkey.gpg

Remove the old key

gpg --expert --delete-key <key>

Import the new key

gpg --import fixedkey.gpg
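The procedure above assumes the revocation sits in 000002-002.sig. As an added example (not from the original page), the following script generalises it: it inspects every packet gpgsplit produces and drops only those whose sigclass is 0x20. It assumes gpg and gpgsplit are in PATH and that WORKDIR is an empty scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page: automated version of the
# export / gpgsplit / list-packets / cat steps described above.

# Return 0 if a `gpg --list-packets` listing read from stdin describes a
# key revocation signature (OpenPGP signature class 0x20).
is_revocation_listing() {
    grep -q 'sigclass 0x20'
}

# Split KEYFILE (a binary export from `gpg --export <key>`) into packets
# inside WORKDIR, delete the packets that are 0x20 revocation signatures,
# and reassemble the rest as WORKDIR/fixedkey.gpg.
strip_revocations() {
    keyfile=$1
    workdir=$2
    # gpgsplit writes 000001-006.public_key, 000002-002.sig, ... into the
    # current directory, so run it from WORKDIR with the key on stdin.
    (cd "$workdir" && gpgsplit) < "$keyfile" || return 1
    dropped=0
    for pkt in "$workdir"/0000*; do
        if gpg --list-packets "$pkt" | is_revocation_listing; then
            echo "dropping $pkt (revocation signature)" >&2
            rm -f "$pkt"
            dropped=$((dropped + 1))
        fi
    done
    cat "$workdir"/0000* > "$workdir/fixedkey.gpg"
    echo "$dropped revocation packet(s) removed; result: $workdir/fixedkey.gpg" >&2
    # Finish with the page's own steps:
    #   gpg --expert --delete-key <key>
    #   gpg --import "$workdir/fixedkey.gpg"
}
```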

GPG 2.0

GPG 2.0 is not installed as a default application on Ubuntu.

GPG 2.0 is the new kid on the block. It is aimed at desktop use rather than embedded or server applications.

GnuPG2 is available in the "Main" repository since Intrepid, or in the "Universe" repository in earlier releases.

If you want to use gnupg2 with the FireGPG Firefox extension, you need to install gnupg2 first.

If you are going to use gpg2 for the same purposes as outlined above then you just need to add 2 to the gpg command.

gpg2 --gen-key

Tips and Tricks

Add your key to ~/.bashrc by adding a line similar to export GPGKEY=YOUR-KEY-ID

gnupg-agent and pinentry-gtk2 are packages that facilitate not having to enter the password for your key every time you want to use it. Open the file ~/.gnupg/gpg.conf in your favorite editor. Browse through it and change what you like. A few useful things to change are:

keyserver-options auto-key-retrieve

use-agent (the Ubuntu default for Gutsy and later releases.)

The former makes gpg automatically retrieve keys when verifying signatures. The latter makes gpg use gpg-agent, which is very useful if you use gpg a lot but don't like typing your password all the time. It is also required for some programs (such as KMail) to sign or encrypt messages. gnupg-agent and pinentry are in Main for Gutsy and automatically installed/configured in Kubuntu.

If you are upgrading from Ubuntu 7.04 (Feisty), the file ~/.gnupg/gpg.conf may have failed to be created by default in your home directory due to a bug in the gnupg package. In that case, GPG agent integration will not be enabled by default. If you have not created your own gpg.conf, you can correct this issue by running cp /usr/share/gnupg/options.skel ~/.gnupg/gpg.conf. If you do have a gpg.conf and are affected by this issue, that command would overwrite it with Ubuntu's default options and wipe any customizations you have made; you can still correct the issue by running echo use-agent >> ~/.gnupg/gpg.conf instead.

Now create the file ~/.gnupg/gpg-agent.conf with the following content:

This will make gpg-agent use pinentry-gtk2 and remember your password for 24 hours (please consider the security implications of doing this - anyone gaining access to your computer within those 24 hours would be able to sign anything with your key). For Kubuntu, use pinentry-qt4 instead.

* Changing your password. If you wish to change the password of a key, you can use

gpg --edit-key userid

(the 'real name' part of the userid suffices). Choose passwd in the menu and enter the new password twice. You can leave the menu using quit.